Flickr continues to be a haven for porn/malware redirects

A few weeks ago, I blogged about porn/malware redirects being hosted on Flickr.  After a brief respite, it’s back and strong.

Just a quick and trivial search shows hundreds of porn redirect links, pushing “lolita porn” and redirecting to porn and malware sites.

And again, a list of bad sites is here.

Alex Eckelberry

“Activate Skype”. Or not…

Here’s something that looks like Skype, may or may not give you Skype but certainly wants something in return for it first.

So far, so good I guess. It’s all in Russian of course, but it looks like it is actually installing Skype.

Then this happens.

As you can see, it’s now asking for something – that something presumably being an SMS unlock code, which would likely cost money to obtain (in testing, the dropdown box wasn’t available – either because the required site content isn’t live at the moment or they’re not interested in my IP address). In case you’re wondering, the text in the greyed out box says (according to Google translate): “Loading Countries”. The other pieces of text say things like “Attention, the program requires activation” and “select your country of residence to receive instructions on how to activate”.

Thanks, but no thanks. Also here’s a 27/43 VirusTotal score.
The file above (SkypeSetup.exe) comes from a website that doesn’t appear to have any frontend to it – d2xx(dot)ru. There’s no fancy graphics, no text, nothing. Just the download. The Email address used to register the domain is used elsewhere, however – skype4free(dot)ru. This one has a little more going on:
My handy Google Translator picked up the word “Free” quite a lot – “also, something about having to activate your copy”, not so much. You probably shouldn’t bother with any of the above when you can go here and obtain Skype for free, right now.
Christopher Boyd

FakeVimes Infection Offers Up “Home Codec” Packs

I don’t want your heads to explode with the force of a thousand Suns, but I think we may be looking at a new Rogue AV gimmick – specifically in the area of Codecs. I know, I know. Breathe deeply and take a seat.

Researcher Adam Thomas was investigating some FakeVimes Rogues, installing one of the fake products from the usual “Your PC has been infected” website:

He then got ready to take in the sights when this happened: nothing.

No fake security tool asking for payment or telling you the PC has about a million fictitious infections on it, no flashing lights, nothing at all. He rebooted the test machine – still nothing (sometimes a rogue won’t rise from the depths until you restart the machine. Surprise!)

This is a typical FakeVimes GUI:

This is not a typical FakeVimes GUI:

You can see what I did there. Anyway, this is a sample of some of the files found on the infected machine:

c:\Documents and Settings\All Users\Application Data\7f0924VD7f0_2326.exe
c:\Documents and Settings\All Users\Application Data\ipe.exe
c:\Documents and Settings\All Users\Application Data\ipFRed32.dll
c:\Documents and Settings\All Users\Application Data\ipinstr.ini
c:\Documents and Settings\All Users\Application Data\ipSmartGeare.exe
c:\Documents and Settings\All Users\Application Data\ipspoof.avi
c:\WINDOWS\system32\c_726535.nls

Adam went off to the main folder where all the nasty things reside, and found something interesting lurking:

“Spoof.avi”? Well, hello there. Let’s see what you get up to in your spare time:

A “Your Codec version is too old” message, complete with popup in the bottom right hand corner telling you to “Update your Codec”.

Is this FakeVimes variant designed to prevent you watching movies while making the creator some cash into the bargain? Let’s take a look. Opening up a random website to view some files gave some interesting results.

This is what happened when Adam downloaded a video and tried to play it:

“Windows Media Player cannot find the selected file”.

Not to be beaten, he tried to stream the file instead. Then they schooled us with science. And a large popup.

“Your player cannot display this video file. Click here to update the Codec”.

At this point, you might be expecting infection files, but you’re already infected. So what are they going to do?

This:

“Home Codec pack and video converter suite: This version contains a full package of codecs enabling you to watch video in the best quality possible”.

Yes, and my name is Elvis. Hitting the (extremely large) Purchase buttons will give you this “Show me the money” payment screen, asking you for up to $35.95 for the “Home” version, plus an optional $9.95 to “Protect your purchase” with an extended download service:

Call it a hunch, but I think the best optional extra here is to run in the opposite direction from this particular fiasco. Of course, it makes sense for the people behind these attacks to start mixing things up a little – FakeVimes has been all over the news recently, and not in a “We love you, FakeVimes” kind of fashion. More like a “FakeVimes, we hate you and we want you to die” fashion as Google took the unprecedented step of warning millions of infected users about it last week. From the Google help page on this one:

A warning appears at the top of the search results page when we believe that the computer you’re using is infected with malicious software, also known as “malware.” Malware can be used to intercept your computer’s connection to Google and other sites. When Google’s system detects that a connection has been intercepted, it’s likely that the computer was previously infected with malicious software.

With the heat coming around the corner, the FakeVimes people have decided to diversify into a sort of “Rogue Codec” market instead, and it looks like things could be interesting in Rogue AV land for a while as their otherwise glacier-like tactics (“You’re infected, have some Rogue AV, thanks for the money”) begin to change.

We detect this one as VirTool.Win32.Obfuscator.hg!b (v).

Christopher Boyd (Thanks to Adam Thomas for finding this one)

Correct Version Aversion

Here’s a site located at buburuzka(dot)com/xhupt/71093(dot)php offering up some fake Flash. Humorously, they don’t seem to have taken much notice of the latest Flash Player version – compare and contrast:

As you can see, a bit of a difference there. Of course, they’re hoping the victims they attract to a scam like this won’t pay much attention to what they’re clicking on, never mind confirm that the Flash numbering offered matches up with reality.

We detect this as VirTool.Win32.Obfuscator.hg!b1 (v), another 2GCash clickfraud Trojan, and the VirusTotal score is currently at 5/43.

Christopher Boyd (Thanks to Patrick Jordan for finding this one)

.gov.np Site Serves Up Banking Phish

This is the National Development Volunteer Service of Nepal located at

ndvs(dot)gov(dot)np/_vti_cnf/customer(dot)ibc(dot)htm:

This is an unwelcome addition to the website in the form of a Lloyd’s TSB Phish.

It’s still live at time of writing, but it’s been reported so let’s hope it’s taken down and the site is cleaned up soon.

Christopher Boyd

We’re (Auto)whalers on the Moon

I don’t know what it is about this one that sets the Spidey Sense tingling.

Maybe it’s the fact it promises to make things all too easy – Vader reference there for anyone keeping score – for the lazy crook.

Maybe it’s the fact the little picture thing for it is a balaclava sporting terrorist guy.

Maybe it could even be the fact that the filename has “666” in the title, which is generally a reasonable indicator of fiery flames and pointy pitchforks. Who knows.

What I do know, is that this thing is an Autowhaler and promises an easy haul of plundered bounty on the high seas. For those of you who have no idea what I’m talking about – it’s okay, you don’t have to spare my feelings – I’ll now explain.

Autowhalers: What they are, and how they came to be

Autowhalers come in two flavours (no, not vanilla and chocolate) – websites, and programs. You can see an example of a website Autowhaler here. Imagine you’re a Phisher. You have an awesome collection of stolen logins and you can’t wait to crank out some viagra spam.

Now imagine I’m the laziest phisher who has ever lived.

I’d like a collection just like yours, but there’s no way I’m going to put any effort into obtaining such a stash because I have people from overseas to scream at on XBox Live. No, I’ll just fire up an Autowhaler which checks known Phish URLs for common places where a productive Phisher would keep their logins (/passwords(dot)html or /logins(dot)html, for example).

Then I steal all your things, and do whatever I want with them – which probably doesn’t include leaving them on free webhosting for all and sundry to plunder.

At this point, the “666 Auto Whaler” comes back into play and our would-be Phishing King thinks, well, it looks legitimate and it even comes with a handy .txt file pointing out common places Phishers would attempt to hide their wares. What’s the worst that could happen?

Well, a 29/43 VirusTotal report for starters. But wait – that’s not the worst. That’s not even close to being the worst. No, the worst is right over here in your Temp Folder:

Hello there, Cryptedfile.exe – if that is your real name.

Which it isn’t. Step up to the plate, Trojan-PWS.Win32.Fignotok.A (v) – a known password stealer that generally likes to dabble in everything from gaming account logins to Instant Messaging and more besides.

36/43 VirusTotal score, Ladies and Gentlemen.

Now, there may well be a legitimate version of this tool floating around out there. It may even look like this:

However, this thing that I have before me? I believe the phrase I’m looking for is “Lol, nope”. If you see a younger relative about to fire up what seems like a “cool hax0r program” on the household PC, you may want to have a word in their ear then double check exactly what it is sitting in the Download folder.

Password stealer creators targeting Whalers going after Phishers may sound like a humorously confusing mess of bad people hitting each other in the face with bricks – and don’t think I haven’t thought about it – but the gag quickly evaporates once Little Jimmy loses five sets of credit card details to the void.

Remember kids – they’re all out to get you, and then some. Stick to ranting on Halo, it’s a lot safer.
Christopher Boyd

Unusual Twitter Spam of the Day

I love the smell of some Twitter spam in the morning. iPads, iPods, books, movies, videogames, free holidays: I’ve seen – and blocked – them all.

Then this happened.

Yes, Twitter users are being sent, er, a free “arse”. Quite a lot of them, actually:

“Why did you send me an arse?”
Good question, random person on Twitter. All of these messages are coming via an application called Giftify(dot)me, where you select a “gift” to send somebody and then off it goes. The gifts include a pig wearing wellies, a flower and a picture of the now defunct News of the World newspaper (topical!)
However, everybody seems to have gone derrière crazy for reasons known only to the spambots. Speaking of which:

The app itself is fairly standard in terms of what permissions it asks for:

Worth noting it cannot access your password, or your Direct Messages. Of course, if you’re giving an app permission to “post tweets for you” then being able to access your password doesn’t matter too much where random messages are concerned. With that in mind, we’ve been testing and (so far) the test accounts using this app haven’t sent anything from the app itself (yet).

It seems likely that someone, somewhere has set up a collection of spambots to autopost these messages to any Twitter users that have said the word “arse” on their feed, for the sole purpose of humour or whatever (except that it isn’t really very funny but never mind).

Having said that, attempts to gain the attention of the spambots (and test accounts) have failed so far. And don’t think I haven’t tried. A surprising amount of you took me up on the offer, too…not sure if that’s a good thing but anyway: for the moment, our test accounts are not randomly spamming so don’t panic. All you’ll get if you click on a message that says “(Person X) has sent you (something). See your gift at Giftify(dot)me” is a picture of said “gift”. Annoying, but not the end of the World.
Unlike the end of the News of the World. You can see what I did there.
Christopher Boyd (Thanks to Jovi Umawing for sending this one over.)

Two Yahoo phish URLs to avoid

Hopefully the two Yahoo phish pages listed below won’t be online for too long:

They’re located at

nudeyahoo(dot)hi2(dot)ro/foto/

and

maill-yahoo(dot)com

The first one is obvious, the second one is rather sneaky. In terms of browsers catching this, nudeyahoo manages to sneak by Firefox and IE, but they both flag maill-yahoo. Chrome catches both of them, and of course we have both URLs added to our “You shall not pass” list, so if you do happen to have your browser phish detection switched off but you’re using Premium VIPRE editions then all should be well in the World.

Christopher Boyd (Thanks to Wendy for finding these)

Batscam!

Batman. His interests include being vengeance, the night and also kicking people in the face.

Something Batman probably doesn’t enjoy so much is seeing the trailer for his new film leak, then be turned into an instrument of evil (or at least poor web marketing and cheap tricks). In fact, you know it’s time to strap yourself in for another security trainwreck when you hear about the leaked Dark Knight Rises trailer, fire up Youtube and see…

Batman, everybody!

There’s a similarly authentic looking Youtube clip here:

Clicking the link takes you from xisworld(dot)com to rrgr(dot)info/news(dot)php where the Dark Knight is apparently being hunted by, er, FOX News:

You’re offered an install of FREEzeFrog, ShopperReports, QuestScan address bar and blinkX Beat. Readers will be familiar with these types of install. As you may have already guessed, there is no Batman trailer or any FOX News for that matter.

Elsewhere, you’ll see clips like this advertising the full movie.

Here’s an example of a site offering “the full movie”.

I’m not sure which I trust less, the clipart logo or the fact that the trailer is the fake one containing Robin Williams and clips lifted from Se7en and Aeon Flux. Clicking the links takes you to various sites wanting you to “sign up” to watch the movie, often asking the user to provide card details and validate their account.

Good luck with that.

I’m going to go out on a Batman snapped limb here and take a wild guess that you won’t be seeing the full version of Dark Knight Rises anytime soon – certainly not from random Youtube vids promoting installs, surveys and “watch movies anytime” services.

You don’t have to be the World’s Greatest Detective to work that one out.

Christopher Boyd

Super Mario Scam: The Princess Is In Another Castle

Here we have a website claiming you can “Play Super Mario Online”, complete with looped Youtube video and a large “Start Here” button at the bottom of the page.

playmario4free(dot)com/networks/vc/index(dot)html

As you’re about to see, The Princess is most definitely in another Castle.

Hitting the “Start Here” button downloads a file called “SuperMario.exe”. However, this isn’t so much “It’s a me, Mario” as it is “It’s a me, a bunch of other stuff instead”.

During testing, we saw the following installer prompt:

As you can see, this is an installer for something called “StartNow”, a Toolbar from Zugo. Readers will recall a mention of their toolbars in this writeup, described as a “Bing-powered search toolbar with a history of installs performed through exploits and other misleading/deceptive means”. What’s particularly interesting here though is what happens should you hit the “Decline” button – StartNow goes away, but something called “Web Essentials” from Quantrologic is installed silently instead (you can see more about them in a fake codec writeup by Paretologic).

We’re still looking at it, but the “competitor killer” file has a rather interesting name – especially if you remember these antics from 2004/05.  Here’s an example of adverts appearing on Facebook with this installed:

We informed Zugo about this bundle, and they reported to us that they were in the process of identifying and terminating the affiliate responsible. At time of writing, our US based researchers confirm Zugo is still appearing in testing, whereas other regions end up with something altogether different. For example, this one is from the UK – say hello to “FaceTheme”:

Unfortunately, you’ll still end up with a silent Web Essentials install should you hit “Decline”:

We detect SuperMario.exe as Trojan.Win32.Generic!BT, and VirusTotal scores are currently at 9/42.

Christopher Boyd (Thanks to Matthew for finding this one)

Update 1: Matthew performed some additional analysis on the competitor_killer.exe. Here’s a list of the apps it targets (based on strings found in the file) – notice FaceTheme is listed, even though it is appearing in installs alongside Web Essentials above…

FBLayouts
GamePlayLabs
Yontoo/PageRage
FaceTheme
Cartoonly

Spammers and compromised accounts

Our friends at Commtouch have blogged about something that is no surprise — spammers using compromised accounts vs. bots (their latest threat report is quite good and worth reading btw).

While compromised email accounts (hotmail, yahoo, gmail, etc.) are not new, there is a little more to it:  There was a massive takedown of a major spam operation by Microsoft several months ago.  This led to spam levels dropping to their lowest rate in three years. Gamechanger for the spammers.  So what we’re likely seeing is a) the percentage of spam from compromised accounts increasing, because Rustock is out of the equation (the mix of compromised accounts vs. legitimate has changed) and b) it’s just getting harder to use botnets, so they’re going after compromising existing accounts. Since Commtouch didn’t publish data as to the raw actual numbers of compromised accounts vs. bot spam, it’s difficult to tell. 

Nevertheless, bots are still out there. But compromised accounts give spammers the ability to hijack the reputation of an existing user and service (hard to blacklist all of Hotmail, for example). You could spoof an email to look like it’s from gmail or Hotmail (and there is a lot of that), but that’s not nearly as powerful as a compromised account, because the IP ranges are trusted by spam filters, and generally, the sender is trusted by you (it could be a family member, or a friend).

You can see in the chart below that Hotmail is more compromised than Gmail.  Gmail spam is almost all spoofed — simply creating a fake gmail address in the From address — a poor way of getting by spam filters.  
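The distinction drawn above (a forged gmail From address versus mail that really leaves Hotmail’s own network) is exactly what a sender-authorization check in a spam filter tests. The following is an added example, not code from the post or from Commtouch; the address ranges, hostnames and headers are constructed stand-ins, not real provider data.

```python
"""Sender-authorization check of the kind a spam filter applies: does the
connecting IP belong to a network the From domain is allowed to send from?
(Added illustration; the address ranges and headers below are constructed.)"""
import ipaddress
import re
from email import message_from_string

# Constructed stand-in for published sender policies.  Real SPF records are
# fetched from DNS; these ranges are documentation addresses, not Microsoft's
# or Google's actual networks.
AUTHORIZED_SENDERS = {
    "hotmail.com": ["198.51.100.0/24"],
    "gmail.com": ["203.0.113.0/24"],
}

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(raw_message):
    """Return the IP recorded in the outermost Received header (our own MX's
    hop), which is the only hop the receiving filter can trust."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    for hop in received[:1]:
        m = RECEIVED_IP.search(hop)
        if m:
            return ipaddress.ip_address(m.group(1))
    return None


def from_domain(raw_message):
    """Domain part of the From header, lower-cased, or None."""
    msg = message_from_string(raw_message)
    m = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else None


def classify(raw_message):
    """'authorized' when the connecting IP is inside the From domain's ranges,
    'spoofed' when the domain is known but the IP is not, else 'unknown'."""
    ip = connecting_ip(raw_message)
    domain = from_domain(raw_message)
    if ip is None or domain not in AUTHORIZED_SENDERS:
        return "unknown"
    for net in AUTHORIZED_SENDERS[domain]:
        if ip in ipaddress.ip_network(net):
            return "authorized"
    return "spoofed"


# Constructed samples.  The first mimics the spoofed-Gmail case: a forged
# From address handed to our MX straight from a bot's connection.  The second
# mimics mail sent through a compromised Hotmail account: it leaves the
# provider's own range, so the IP check alone cannot tell it from real mail.
SPOOFED_GMAIL = """\
Received: from bot.example ([192.0.2.77]) by mx.example.org; Mon, 1 Aug 2011 09:00:00 +0000
From: Friend <friend@gmail.com>
To: you@example.org
Subject: check this out

http://example.invalid/pharma
"""

COMPROMISED_HOTMAIL = """\
Received: from omc.hotmail.example ([198.51.100.23]) by mx.example.org; Mon, 1 Aug 2011 09:05:00 +0000
From: Friend <friend@hotmail.com>
To: you@example.org
Subject: check this out

http://example.invalid/rogue-av
"""

if __name__ == "__main__":
    print("spoofed gmail       ->", classify(SPOOFED_GMAIL))
    print("compromised hotmail ->", classify(COMPROMISED_HOTMAIL))
```

The second message passes the IP check, which is the point of the post: a compromised account inherits the provider’s reputation, so the filter has to fall back on content and link analysis.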

However, it’s not necessarily pharmacy ads and the like. There’s plenty of malware. There are also malicious links, which themselves can pose a greater problem, because malware is often caught going through an antivirus filter (either because of attachment policies or because the malware itself is caught). However, malicious links from a trusted sender present a far bigger problem.

For example, here’s a current spam run using a compromised Hotmail account we saw yesterday (they simply stole the user credentials), pushing a rogue antivirus product:

Same spam run, both with the same results – clicking on the link redirects one to a page that looks like this:

This pushes a download of WinWebSec SecurityShield, with atrocious detection by AV vendors. So with antivirus detection being awful in this case, the emphasis falls on defense-in-depth. A good spam filter may or may not help, because this email comes from one of your trusted senders and may be ignored, depending on your policies. A good web filter would certainly help significantly. And so on. However, since social engineering is at play here, education is of tremendous importance.

Alex Eckelberry

When Fans Attack, Facebook Phish and Steamy Logins

Here’s a roundup post with some snippets from the past day or two along with one or two events you may have missed.

Last week, you could (in theory) have been searching for the country singer Katie Armiger.

No, I have no idea who she is. Anyway, this is what you would have seen:

Yes, it seems “testing your security” is the new “asking for autographs” with so-called fans calling her out on website security. What calling card did they leave for Katie?

Number One with a bullet, or at least a baseball. At time of writing, the site seems to be fixed (there’s a lot of pink and frilly dresses on it, so I assume it’s fixed).

Elsewhere, we’re seeing quite a few phishing pages pretending to be Facebook security checks.

“Did you log into Facebook from somewhere new?”

They try and scare the user with a reference to anonymous proxies being used to access the account – at this point, real name, email, password, birthday, gender, country and security question are all up for grabs. Don’t get caught out by this one.

Over at the Malware Protection Center, we’ve seen a steady stream of Privacy Center clones and the odd FakeVimes Variant. Sporting names such as Windows Armature Master, Windows Accurate Protector and Windows Test Master, you can be fairly certain that seeing the below is a sign of infection:

Finally, another example of why you shouldn’t reuse passwords. I’m willing to bet a lot of people use the same password for both their Steam account and the EMail address associated with it. This makes you easy pickings if you lose either one to a phisher. However, split those logins up and should the evil Steam phisher grab your Steam details, when logging in on their PC they’ll see this appear:

Yes, Steam will pull them up about logging in from a new computer. At this point, an EMail is fired to your associated account and the phisher isn’t going to get very far without access to your mailbox:

Good, eh?

Of course, this security procedure isn’t going to help the user much if they reuse passwords. For everyone else, it’s one last chance to regain control of a compromised account.
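A model of the new-computer check described above, written as an added example rather than Steam’s code or anything from the post: the game service, mailbox and device ids are all simulated, and it shows why the check only holds when the mailbox password differs from the account password.

```python
"""New-device login check of the kind the post describes, and why it fails
when the account password and the mailbox password are the same.
Added illustration; accounts, device ids and mail delivery are simulated."""
import hmac
import secrets


class Mailbox:
    """Simulated e-mail account: reading it requires the mailbox password."""

    def __init__(self, password):
        self._password = password
        self.inbox = []

    def read(self, password):
        if not hmac.compare_digest(password, self._password):
            raise PermissionError("wrong mailbox password")
        return list(self.inbox)


class GameService:
    """Accounts whose logins from an unrecognised device need an e-mailed code."""

    def __init__(self):
        self._accounts = {}   # user -> {password, email, devices, pending}

    def register(self, user, password, mailbox):
        self._accounts[user] = {"password": password, "email": mailbox,
                                "devices": set(), "pending": None}

    def login(self, user, password, device_id):
        acct = self._accounts.get(user)
        if acct is None or not hmac.compare_digest(password, acct["password"]):
            return "denied"
        if device_id in acct["devices"]:
            return "ok"
        # Correct password but unknown device: challenge instead of letting the
        # session through, and tell the account's mailbox what just happened.
        code = secrets.token_hex(4)
        acct["pending"] = (device_id, code)
        acct["email"].inbox.append(f"New computer login attempt. Your code is {code}")
        return "verify-email"

    def confirm(self, user, device_id, code):
        acct = self._accounts[user]
        pending = acct["pending"]
        if pending is None or pending[0] != device_id or code is None:
            return False
        if not hmac.compare_digest(code, pending[1]):
            return False
        acct["devices"].add(device_id)   # device is now trusted
        acct["pending"] = None
        return True


def read_code(mailbox, password):
    """Pull the most recent code out of the mailbox, or None if locked out."""
    try:
        messages = mailbox.read(password)
    except PermissionError:
        return None
    return messages[-1].rsplit(" ", 1)[1] if messages else None


def phisher_outcome(game_pw, mail_pw):
    """A phisher holding only the game password logs in from their own PC.
    Returns True when they end up with a trusted session."""
    service = GameService()
    mailbox = Mailbox(mail_pw)
    service.register("jimmy", game_pw, mailbox)
    # The legitimate owner enrols their own machine first.
    service.login("jimmy", game_pw, "jimmys-pc")
    service.confirm("jimmy", "jimmys-pc", read_code(mailbox, mail_pw))
    # The phisher knows the game password; they can read the mailbox only if
    # the same password was reused for it.
    if service.login("jimmy", game_pw, "phisher-pc") == "ok":
        return True
    code = read_code(mailbox, game_pw)
    return service.confirm("jimmy", "phisher-pc", code)


if __name__ == "__main__":
    print("reused password, phisher gets in:   ", phisher_outcome("hunter2", "hunter2"))
    print("separate passwords, phisher gets in:", phisher_outcome("hunter2", "another"))
```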

You don’t reuse passwords, do you?

Christopher Boyd

Flickr hosting porn and malware redirects

Update:  Looks like we’re all clear — all links have been removed.

Well, this is certainly a busy time for the porn/malware bad guys. The same folks who apparently spammed SourceForge with porn and malware redirects are now doing it on, of all places, Flickr.

Instead of posting photos, however, they’re posting links, like this:

The links point to a URL shortener (for example, hxxp://1k.pl/ flickr), which then redirects through an interim page to something like this:

(We’ve removed the images, of course.)

Clicking on one of those links will give you malware — not a pleasant thing.

A list of the malicious URLs we were able to find is here.

Alex Eckelberry
(Hat tip to Patrick Jordan)

What “hidden” malware?

Recent reports of “imported hardware entering the US with hidden malware” are grossly exaggerated.

Occasionally, a virus creeps into some piece of hardware or software, but that’s because of shoddy manufacturing or just honest mistakes (it’s for this reason that every piece of software that Microsoft releases goes through a multi-engine virus check). 

Sometimes, there’s just a blatant, err, false alarm. Then there’s the idiotic “Dell ships with a keylogger” hoaxes.

The supply chain is not inviolate, and there is a cyber security risk. However, there have been very, very few — if any — reports of malicious software being embedded maliciously into imported hardware.

I’m not going to be a Pollyanna and say it can’t happen. But there’s a difference between “it could happen” and “it has happened”.

If you want to understand where this all comes from, it’s from a short exchange between Representative Chaffetz (who clearly believes this is happening daily) and DHS National Protection and Programs Directorate Greg Schaffer.  

Schaffer actually missed the original question, and then, appearing a bit flatfooted, answers in the affirmative, and then Chaffetz states rhetorically that this is a problem. You can see the exchange for yourself at the 51 minute mark.

From this pebble we get a mountain?

Alex Eckelberry

Update Center targets Chrome and Firefox with fake flash updates

Browser specific scams have mostly been seen in the realm of rogue AV attacks, but here’s one (located at update-center(dot)myftp(dot)org) that checks out your browsing credentials then sends you to one of the below locations for a fake flash update:

IE8: Redirected to usa(dot)gov. No fake flash for IE users. It’s a different story for Chrome and Firefox, though.

Chrome 12.0.742.112: You’ll be asked to run “v11_flash_AV.exe”

Firefox 5.0: You’ll be asked to run “ff-update.exe”

According to our man Patrick Jordan, these slices of Malware are 2GCash variants. Breaking out the history books, he tells us:

“2GCash began around July 2008, and started with:

A) FakeCodec sites
B) Online Scanner Scam sites
C) Fake Crack Serial sites.

The primary function has always been click fraud transmission and Search Engine Results hijackings.
Their secondary function is to potentially bring down PDF exploits, rogues, and other types of malware.

In 2010 they started monitoring for VMware so you can only install them in a normal computer.

They also tend to rotate variants almost every 6 to 12 hours as a method to try and evade detection.”

We detect these as VirTool.Win32.Obfuscator.hg!b1 (v). Steer clear!

Christopher Boyd (thanks to Adam, Wendy and Patrick for finding this one & additional research)

Those “work from home” sites get everywhere…

Looks like we have another one for the “things that probably shouldn’t be on Tumblr” pile. This is a blank profile located at simpleonlinecareerlibrarydv(dot)tumblr(dot)com:

However, should you arrive at the following link, you’ll be bounced to one of those “Earn a fortune working from home” websites:

simpleonlinecareerlibrarydv(dot)tumblr(dot)com/Yz3Em

“Working from home leads to shocking money results”. It probably does if you get involved with one of these things.

Of course, they use geolocation to make it look like the “news site” is local to you – and it goes without saying the offer they have for you expires today. Move quickly!

In the opposite direction…

Christopher Boyd

Search is now disabled on Microsoft Security Center

Follow-up from our blog yesterday: The Search option is now no longer available on the Microsoft Safety and Security center.  

The searches themselves are still there, just checking on Google.

Nevertheless, I have every reason to believe that Microsoft will sort this out fast.  My personal experiences with their malware research and security teams have always been positive and I am certain they will get this issue resolved rapidly.

Alex Eckelberry

Interested in getting porn and malware? Go to the Microsoft Safety and Security Center!

Update:  Looks like we’re all clear — the searches have been cleaned-up.
The Microsoft Safety and Security Center has become a hot bed of porn redirects, and sleazy porn sites invariably lead to malware.  

And there’s an interesting twist to how this occurred.  Search poisoning, on its own, is no big deal.  But in this case, something else is going on.

Since we’re a (sort of) PG 13 blog, I’ll give a mundane example: A person goes to the Microsoft Safety and Security center and types “girl” in the search box.

The search results have been poisoned. Even an innocuous search such as this one returns nasty results (don’t click on the thumbnail if you’re offended by foul language):

(Searching for porn terms will yield some very nasty results. Most of the stuff is far too disturbing to post on this blog.)

Interesting SEO blackhatting: Why is this different? Normal search poisoning is where results come up that directly link to a site. However, blackhat SEOs have created Microsoft Security Center search results on specific terms. These terms include things like:

porn
you porn
free porn
free filipino porn video
prnhub
streaming
you tube sex

And even: “baby girl names”

You can see this with a Google search on microsoft.com:

(It’s ironic that only Microsoft Safety and Security Center searches are returning porn results.  Nothing else at Microsoft.)

Since only specific terms are used, if you search using a different term, say “united nations”, you’ll get real, normal results.

In other words, blackhat SEOs are seeding illegitimate search results within the Microsoft search results. Pretty tricky and impressive. There are a number of ways this could be done (for example, using the ability on the site to Twitter a search result).

Confused?  You don’t need to be.  Just know that inevitably, these types of things can lead to malware. 

Just a bit of hunting around on the search results, and you might find something like this:

And pressing download gets you to a fake codec site, which pushes malware:

It’s Zugo, a Bing-branded search toolbar with a history of being installed through exploits and other misleading/deceptive means. It’s a rather poetic twist of irony (unrelated to the search story here) that Zugo is a Microsoft Bing partner.

At any rate,  let’s hope this all gets cleaned up soon…

Alex Eckelberry
(Hat tip to Patrick Jordan)